The idea

Some access points give you only DNS and nothing else. Basically just enough so you can be tempted to browse the web and then get on their captive portal and be forced to pay a small fortune for your internet access..

Well, DNS is great and sometimes all you need.

(The above also applies to IcmpTunnel, but is outside the scope of this article.)

Quick Guide

Install iodine and sshutle

Start a new screen or tmux as root

root$ iodine -f -P <PASSWORD>

In another screen or tmux, as your regular user

user$ sshuttle -r <USERNAME>@ 0/0

and voilà!

Preferably use mosh to ssh into shell.k.n or anything else, it will reconnect you if the connection drops. You won't be able to watch TV with this, but you can email, irc and do other stuff that are not heavy.

Password is located at or just ask you friendly sysadmins :)

The software

Common configuration: routing

All tunnels described here only take care of connecting two ends of the tunnel, it doesn't actually do any routing beyond that. What this means is that out of the box, the tunnels are not sufficient to provide routing over the whole internet. For that you need to configure a NAT router on the tunnel endpoint.

This is generally done with iptables, but anything would do. An example:

In /etc/iptables.conf:

-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable 

This configuration can be loaded with:

iptables-restore < /etc/iptables.conf

To make that permanent, the "debian way" is to enable it in /etc/network/interfaces:

iface eth0 inet static
  pre-up iptables-restore < /etc/iptables-nstx.conf

You also need to enable IP forwarding:

sysctl net.ipv4.ip_forward = 1

Edit /etc/sysctl.conf to make that permanent.

sshuttle (easier routing alternative)

Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

Just install the sshuttle package and run this command once the tunnel has been set with Iodine:

sshuttle -r <your_user_on_tunnel.k.n>@ 0/0


iodine is the cadillac of DNS tunnels. It requires very little manual configuration, has a well defined protocol and most importantly, supports authentication with a shared password. It works like a charm, both in linux and windows.

Server config

apt-get install iodine

(!) Since iodine uses a specific protocol, you need to have the same version on both the server and the client. Lenny has a backport of 0.5 for that reasone.

By default, the debian package doesn't start the tunnel. You can use dpkg-reconfigure iodine to make it start automatically, or edit /etc/default/iodine to give it the required parameters:

IODINED_PASSWORD="(ask a sysadmin)"

Then start the server using /etc/init.d/iodine start.

Client config

apt-get install iodine fping ipcalc gawk

(!) Since iodine uses a specific protocol, you need to have the same version on both the server and the client. Lenny has a backport of 0.5 for that reason.

Debian provides a handy script to automatically start the tunnel. Just use iodine-client-start and answer the questions. You can also write your settings in /etc/default/iodine-client:

passwd="(ask a sysadmin)"

fping is optional: it's used by the script to verify the tunnel works.

To enable routing over the network, add the endpoint as a default gateway:

route add default gw

Note that you can run the client as a regular user. But you need to add /usr/sbin into your path so that iodine can find ifconfig and other commands.

Le routage normal ne fonctionne pas vraiment avec le tunnel iodine en ce moment. Ce qu'on peut faire par contre c'est ssh vers, qui est Ensuite de là on peut sortir ailleurs sur internet. On peut aussi utiliser qqch comme sshuttle qui utilise une connexion ssh pour en faire un genre de VPN pour tout le trafic TCP.


Very impressive. I can run a complete shell with irssi turning the seconds clock very reliably. It's still low bandwidth, but I see almost no packet loss and a surprisingly low latency:

--- ping statistics ---
61 packets transmitted, 60 received, 1% packet loss, time 60100ms
rtt min/avg/max/mdev = 50.658/57.011/92.545/5.753 ms

NSTX (osbolete)

My first experience with this was with the nstx package, which works well as a proof of concept, but is quite slow, drops packets and has duplicates. I nevertheless include it here as it works and has given me great service over the years.

nstx is availble through Debian (see nstx) and requires some manual configuration to work right, which can be annoying. Here's what works for me:

Server config

In /etc/default/nstx:


In /etc/network/interfaces:

iface tun0 inet static
  pre-up iptables-restore < /etc/iptables-nstx.conf

Client config

In /etc/default/nstx:

NSTX_DNS_SERVER=`grep nameserver /etc/resolv.conf |head -1|awk '{print $2}'`

In /etc/network/interfaces:

iface tun0 inet static
        mtu 500 #optional
        post-up route del default ; route add -net default gw


A ping sequence shows a lot of duplicate packets, packet losses, misordering and high latency:

--- ping statistics ---
64 packets transmitted, 53 received, +6 duplicates, 17% packet loss, time 63167ms
rtt min/avg/max/mdev = 15.834/1313.995/8406.465/2483.755 ms, pipe 9

... but it works!

Success stories & testimonials

Wifi is now widely available and free on many greyhound buses and airports...also power outlets!

Still, some air companies offer ridiculously high priced wifi in their planes ($20 for 30mins, or $65+ for a monthly subscription...)

Now with Iodine, you can log onto your favorite IRC channel and tell all your friends how terrible your wifi is while in the air and in real time!


DnsTunnel (last edited 2017-02-14 19:28:47 by Alexandru)